What is claimed is: 

1. A computer program product for enabling an identity change during a certificate-based host access session, said computer program product embodied on a computer-readable medium and comprising:

computer-readable program code means for processing a first sign-on during a secure session using a digital certificate, further comprising:

computer-readable program code means for establishing said secure session from a client machine to a server machine using said digital certificate, wherein said digital certificate represents an identity of said client machine or a user thereof;

computer-readable program code means for storing said digital certificate or a reference thereto at said server machine;

computer-readable program code means for establishing a session from said server machine to a host system using a legacy host communication protocol;

computer-readable program code means for passing said stored digital certificate or said reference from said server machine to a host access security system;

computer-readable program code means, operable in said host access security system, for authenticating said identity using said passed digital certificate or a retrieved certificate which is retrieved using said reference;

computer-readable program code means for using said passed or retrieved digital certificate to locate access credentials for said user;

computer-readable program code means for accessing a stored password or generating a password substitute representing said located credentials; and

computer-readable program code means for using said stored password or said generated password substitute to transparently complete said first sign-on to a secure legacy host application executing at said host system; and

computer-readable program code means for processing a second sign-on during said secure session using a second digital certificate for a second identity, wherein said second sign-on requests access to said secure legacy host application or a different legacy host application by said user or by a different user, further comprising:

computer-readable program code means for receiving a second sign-on request using said second digital certificate for said second identity;

computer-readable program code means for passing said second digital certificate or a second certificate reference from said server machine to said host access security system;

computer-readable program code means, operable in said host access security system, for authenticating said second identity using said passed second digital certificate or a second retrieved certificate which is retrieved using said second certificate reference;

computer-readable program code means, operable in said host access security system, for using said passed second digital certificate or said second retrieved certificate to locate second access credentials;

computer-readable program code means for accessing a second stored password or generating a second password substitute representing said second credentials; and

computer-readable program code means for using said second stored password or said second password substitute to transparently complete said second sign-on to said secure legacy host application executing at said host system or said different legacy host application.
2. The computer program product as claimed in Claim 1, wherein said digital certificate is an X.509 certificate and said digital certificate reference and second certificate reference are references to an X.509 certificate.

3. The computer program product as claimed in Claim 1, wherein said communication 
protocol is a 3270 emulation protocol. 

4. The computer program product as claimed in Claim 1, wherein said communication 
protocol is a 5250 emulation protocol. 

5. The computer program product as claimed in Claim 1, wherein said communication protocol is a Virtual Terminal protocol.

6. The computer program product as claimed in Claim 3, wherein said host access security system is a Resource Access Control Facility (RACF) system.

7. The computer program product as claimed in Claim 1, wherein said computer-readable 
program code means for processing said second sign-on further comprises computer-readable 
program code means for storing said second digital certificate. 



8. The computer program product as claimed in Claim 1, wherein:

said computer-readable program code means for processing said first sign-on further comprises:

computer-readable program code means for requesting by said legacy host application, responsive to said computer-readable program code means for establishing said session, first sign-on information for said user;

computer-readable program code means for responding to said request for first sign-on information by sending a first sign-on message with placeholders from said client machine to said server machine, said placeholders representing a user identification and a password of said user; and

computer-readable program code means for substituting a user identifier associated with said located access credentials and said stored password or said generated password substitute for said placeholders in said first sign-on message; and

said computer-readable program code means for processing said second sign-on further comprises:

computer-readable program code means for requesting, by said legacy host application, second sign-on information for said second identity;

computer-readable program code means for responding to said request for second sign-on information by sending a second sign-on message with placeholders from said client machine to said server machine, said placeholders representing a different user identification and a different password of said second identity; and

computer-readable program code means for substituting said second user identifier associated with said second access credentials and said second stored password or said second password substitute for said placeholders in said second sign-on message.



9. A system for enabling an identity change during a certificate-based host access session, comprising:

means for processing a first sign-on during a secure session using a digital certificate, further comprising:

means for establishing said secure session from a client machine to a server machine using said digital certificate, wherein said digital certificate represents an identity of said client machine or a user thereof;

means for storing said digital certificate or a reference thereto at said server machine;

means for establishing a session from said server machine to a host system using a legacy host communication protocol;

means for passing said stored digital certificate or said reference from said server machine to a host access security system;

means, operable in said host access security system, for authenticating said identity using said passed digital certificate or a retrieved certificate which is retrieved using said reference;

means for using said passed or retrieved digital certificate to locate access credentials for said user;

means for accessing a stored password or generating a password substitute representing said located credentials; and
means for using said stored password or said generated password substitute to transparently complete said first sign-on to a secure legacy host application executing at said host system; and

means for processing a second sign-on during said secure session using a second digital certificate for a second identity, wherein said second sign-on requests access to said secure legacy host application or a different legacy host application by said user or by a different user, further comprising:

means for receiving a second sign-on request using said second digital certificate for said second identity;

means for passing said second digital certificate or a second certificate reference from said server machine to said host access security system;

means, operable in said host access security system, for authenticating said second identity using said passed second digital certificate or a second retrieved certificate which is retrieved using said second certificate reference;

means, operable in said host access security system, for using said passed second digital certificate or said second retrieved certificate to locate second access credentials;

means for accessing a second stored password or generating a second password substitute representing said second credentials; and

means for using said second stored password or said second password substitute to transparently complete said second sign-on to said secure legacy host application executing at said host system or said different legacy host application.



RSW9-2000-0081-US1 



10. The system as claimed in Claim 9, wherein said digital certificate is an X.509 certificate and said digital certificate reference and second certificate reference are references to an X.509 certificate.

11. The system as claimed in Claim 9, wherein said communication protocol is a 3270 emulation protocol.

12. The system as claimed in Claim 11, wherein said host access security system is a Resource Access Control Facility (RACF) system.

13. The system as claimed in Claim 9, wherein said means for processing said second sign-on further comprises means for storing said second digital certificate.

14. The system as claimed in Claim 9, wherein:

said means for processing said first sign-on further comprises:

means for requesting by said legacy host application, responsive to said means for establishing said session, first sign-on information for said user;

means for responding to said request for first sign-on information by sending a first sign-on message with placeholders from said client machine to said server machine, said placeholders representing a user identification and a password of said user; and

means for substituting a user identifier associated with said located access credentials and said stored password or said generated password substitute for said placeholders in said first sign-on message; and

said means for processing said second sign-on further comprises:

means for requesting, by said legacy host application, second sign-on information for said second identity;

means for responding to said request for second sign-on information by sending a second sign-on message with placeholders from said client machine to said server machine, said placeholders representing a different user identification and a different password of said second identity; and

means for substituting said second user identifier associated with said second access credentials and said second stored password or said second password substitute for said placeholders in said second sign-on message.



15. A method for enabling an identity change during a certificate-based host access session, comprising the steps of:

processing a first sign-on during a secure session using a digital certificate, further comprising the steps of:

establishing said secure session from a client machine to a server machine using said digital certificate, wherein said digital certificate represents an identity of said client machine or a user thereof;

storing said digital certificate or a reference thereto at said server machine;

establishing a session from said server machine to a host system using a legacy host communication protocol;

passing said stored digital certificate or said reference from said server machine to a host access security system;

authenticating, by said host access security system, said identity using said passed digital certificate or a retrieved certificate which is retrieved using said reference;

using said passed or retrieved digital certificate to locate access credentials for said user;

accessing a stored password or generating a password substitute representing said located credentials; and

using said stored password or said generated password substitute to transparently complete said first sign-on to a secure legacy host application executing at said host system; and

processing a second sign-on during said secure session using a second digital certificate for a second identity, wherein said second sign-on requests access to said secure legacy host application or a different legacy host application by said user or by a different user, further comprising the steps of:

receiving a second sign-on request using said second digital certificate for said second identity;

passing said second digital certificate or a second certificate reference from said server machine to said host access security system;

authenticating, by said host access security system, said second identity using said passed second digital certificate or a second retrieved certificate which is retrieved using said second certificate reference;

using, by said host access security system, said passed second digital certificate or said second retrieved certificate to locate second access credentials;

accessing a second stored password or generating a second password substitute representing said second credentials; and

using said second stored password or said second password substitute to transparently complete said second sign-on to said secure legacy host application executing at said host system or said different legacy host application.

16. The method as claimed in Claim 15, wherein said digital certificate is an X.509 certificate and said digital certificate reference and second certificate reference are references to an X.509 certificate.

17. The method as claimed in Claim 15, wherein said communication protocol is a 3270 
emulation protocol. 



18. The method as claimed in Claim 17, wherein said host access security system is a Resource Access Control Facility (RACF) system.



19. The method as claimed in Claim 15, wherein said step of processing said second sign-on 
further comprises the step of storing said second digital certificate. 



20. The method as claimed in Claim 15, wherein:

said step of processing said first sign-on further comprises the steps of:

requesting by said legacy host application, responsive to said step of establishing said session, first sign-on information for said user;

responding to said request for first sign-on information by sending a first sign-on message with placeholders from said client machine to said server machine, said placeholders representing a user identification and a password of said user; and

substituting a user identifier associated with said located access credentials and said stored password or said generated password substitute for said placeholders in said first sign-on message; and

said step of processing said second sign-on further comprises the steps of:

requesting, by said legacy host application, second sign-on information for said second identity;

responding to said request for second sign-on information by sending a second sign-on message with placeholders from said client machine to said server machine, said placeholders representing a different user identification and a different password of said second identity; and

substituting said second user identifier associated with said second access credentials and said second stored password or said second password substitute for said placeholders in said second sign-on message.
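The sign-on flow of Claims 15 and 20 (certificate presented on the client-to-server session, its reference passed to the host access security system, a password substitute generated there, and the placeholders in the client's sign-on message replaced by the server before the second identity signs on mid-session), as an added Python model that is not part of the patent. The certificate thumbprints, the user ID mapping, the LOGON message format and the keyed one-minute token scheme are constructed stand-ins, not RACF's or any product's actual mechanisms.

```python
import hashlib
import hmac
import time
# Constructed sample data, not from the patent: certificate references (here
# thumbprints) that the host access security system trusts, mapped to host IDs.
CERT_TO_USERID = {"sha256:aa11": "USER1", "sha256:bb22": "OPER7"}
SECRET = b"host-security-system-key"  # placeholder key held on the host side
USED_SUBSTITUTES = set()  # password substitutes already consumed (one-time use)
# Host access security system (RACF-like), operable at the host system.
def authenticate(cert_ref):
    if cert_ref not in CERT_TO_USERID:
        raise PermissionError("certificate not known to security system")
    return CERT_TO_USERID[cert_ref]  # located access credentials: the user ID

def password_substitute(userid, app):
    # Keyed one-minute token standing in for the stored password (constructed, not RACF's).
    msg = f"{userid}:{app}:{int(time.time() // 60)}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]

def verify_substitute(userid, app, token):
    ok = hmac.compare_digest(password_substitute(userid, app), token)
    if not ok or token in USED_SUBSTITUTES:
        return False  # wrong user, wrong application, expired, or replayed
    USED_SUBSTITUTES.add(token)
    return True

# Secure legacy host application with a constructed "LOGON <id> <pw>" format.
def legacy_app_logon(app, msg):
    cmd, userid, token = msg.split()
    return userid if cmd == "LOGON" and verify_substitute(userid, app, token) else None

# Server machine sitting between the client's secure session and the host.
class Server:
    def __init__(self, cert_ref):
        self.cert_ref = cert_ref  # stored when the secure session is established
    def sign_on(self, app, client_msg, cert_ref=None):
        if cert_ref is not None:  # second sign-on with a second certificate
            self.cert_ref = cert_ref
        userid = authenticate(self.cert_ref)
        token = password_substitute(userid, app)
        # The client sent placeholders only; it never sees the password substitute.
        msg = client_msg.replace("%USERID%", userid).replace("%PASSWORD%", token)
        return legacy_app_logon(app, msg)

def demo():
    server = Server("sha256:aa11")  # session established with first certificate
    first = server.sign_on("PAYROLL", "LOGON %USERID% %PASSWORD%")
    second = server.sign_on("PAYROLL", "LOGON %USERID% %PASSWORD%", "sha256:bb22")
    return first, second  # ("USER1", "OPER7"): identity changed mid-session
```

The one-time set and the time slot in the token are what keep a captured substitute from being replayed later or against another application; a real deployment would hold the key and the consumed-token state inside the host security system rather than in module globals.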